Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 23:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe
-
Size
94KB
-
MD5
d70fdb3c2cc85afe82aba9412ed77fb0
-
SHA1
093de3c1353160cd77e6c6587d907b47af59a627
-
SHA256
0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c
-
SHA512
ddbf8e5506ff69e2390aae709e7cde239c7c3b42d7e6317bf80d641f79b41c616dcd36f544291553667b5c6dc78d9dabb90d7e9d16d3342f754046524efcb2ac
-
SSDEEP
1536:HjzRGv2ebA5LXvylstxX/KvIyR+mH7IK6QV5pFaf2LXoaIZTJ+7LhkiB0MPiKeEJ:Dz8v2i7YK6QhF54aMU7uihJ5v
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhloponc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbcfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncoamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepojo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljnej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmagdbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbjpblip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfgmhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najdnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiccofna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhdokbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofbag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckdlnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balijo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnfamcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anlfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmahdggc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fglipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdeeqehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgojpjem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppamme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2340 Kjhdokbo.exe 2368 Kfoedl32.exe 2704 Kebepion.exe 2736 Knjiin32.exe 2516 Kipnfged.exe 2488 Komfnnck.exe 2984 Kakbjibo.exe 2556 Khekgc32.exe 2820 Kdlkld32.exe 1272 Llccmb32.exe 2020 Lkfciogm.exe 2300 Lhjdbcef.exe 1588 Lfmdnp32.exe 2228 Labhkh32.exe 1720 Lhlqhb32.exe 1740 Lkkmdn32.exe 640 Lganiohl.exe 1796 Lipjejgp.exe 1084 Lgdjnofi.exe 1660 Lmnbkinf.exe 1396 Mcjkcplm.exe 3064 Mgfgdn32.exe 556 Mhgclfje.exe 1764 Mcmhiojk.exe 3048 Mcodno32.exe 2568 Mabejlob.exe 2868 Mhlmgf32.exe 2648 Madapkmp.exe 2656 Mhnjle32.exe 2508 Mohbip32.exe 848 Mdejaf32.exe 2812 Nnnojlpa.exe 1328 Naikkk32.exe 748 Ngfcca32.exe 1980 Nnplpl32.exe 1792 Npnhlg32.exe 1676 Ndjdlffl.exe 1688 Nghphaeo.exe 2248 Njgldmdc.exe 2472 Nnbhek32.exe 2432 Nocemcbj.exe 632 Ncoamb32.exe 1748 Ngkmnacm.exe 2328 Njiijlbp.exe 880 Nlgefh32.exe 900 Nofabc32.exe 1392 Nbdnoo32.exe 3024 Njkfpl32.exe 2632 Nmjblg32.exe 2748 Nohnhc32.exe 2740 Nbfjdn32.exe 1044 Ofbfdmeb.exe 2816 Ohqbqhde.exe 2800 Omloag32.exe 2944 Oojknblb.exe 1888 Obigjnkf.exe 1668 Odgcfijj.exe 2252 Ogfpbeim.exe 2896 Okalbc32.exe 2468 Onphoo32.exe 700 Oqndkj32.exe 1916 Odjpkihg.exe 288 Oghlgdgk.exe 1264 Onbddoog.exe -
Loads dropped DLL 64 IoCs
pid Process 1200 0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe 1200 0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe 2340 Kjhdokbo.exe 2340 Kjhdokbo.exe 2368 Kfoedl32.exe 2368 Kfoedl32.exe 2704 Kebepion.exe 2704 Kebepion.exe 2736 Knjiin32.exe 2736 Knjiin32.exe 2516 Kipnfged.exe 2516 Kipnfged.exe 2488 Komfnnck.exe 2488 Komfnnck.exe 2984 Kakbjibo.exe 2984 Kakbjibo.exe 2556 Khekgc32.exe 2556 Khekgc32.exe 2820 Kdlkld32.exe 2820 Kdlkld32.exe 1272 Llccmb32.exe 1272 Llccmb32.exe 2020 Lkfciogm.exe 2020 Lkfciogm.exe 2300 Lhjdbcef.exe 2300 Lhjdbcef.exe 1588 Lfmdnp32.exe 1588 Lfmdnp32.exe 2228 Labhkh32.exe 2228 Labhkh32.exe 1720 Lhlqhb32.exe 1720 Lhlqhb32.exe 1740 Lkkmdn32.exe 1740 Lkkmdn32.exe 640 Lganiohl.exe 640 Lganiohl.exe 1796 Lipjejgp.exe 1796 Lipjejgp.exe 1084 Lgdjnofi.exe 1084 Lgdjnofi.exe 1660 Lmnbkinf.exe 1660 Lmnbkinf.exe 1396 Mcjkcplm.exe 1396 Mcjkcplm.exe 3064 Mgfgdn32.exe 3064 Mgfgdn32.exe 556 Mhgclfje.exe 556 Mhgclfje.exe 1764 Mcmhiojk.exe 1764 Mcmhiojk.exe 3048 Mcodno32.exe 3048 Mcodno32.exe 2568 Mabejlob.exe 2568 Mabejlob.exe 2868 Mhlmgf32.exe 2868 Mhlmgf32.exe 2648 Madapkmp.exe 2648 Madapkmp.exe 2656 Mhnjle32.exe 2656 Mhnjle32.exe 2508 Mohbip32.exe 2508 Mohbip32.exe 848 Mdejaf32.exe 848 Mdejaf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iadacpgf.dll Process not Found File created C:\Windows\SysWOW64\Hcdnhoac.exe Process not Found File created C:\Windows\SysWOW64\Nolcnd32.dll Iggkllpe.exe File created C:\Windows\SysWOW64\Mbpnanch.exe Mdmmfa32.exe File created C:\Windows\SysWOW64\Icmqhn32.dll Qjnmlk32.exe File created C:\Windows\SysWOW64\Cpmddpid.dll Process not Found File created C:\Windows\SysWOW64\Niebgj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Baakhm32.exe Bocolb32.exe File opened for modification C:\Windows\SysWOW64\Heihnoph.exe Hmbpmapf.exe File opened for modification C:\Windows\SysWOW64\Ioilkblq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jimbkh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ahgofi32.exe Process not Found File created C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File created C:\Windows\SysWOW64\Gieojq32.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Cgbfamff.exe Cddjebgb.exe File opened for modification C:\Windows\SysWOW64\Dnpciaef.exe Process not Found File created C:\Windows\SysWOW64\Qjmkcbcb.exe Qljkhe32.exe File opened for modification C:\Windows\SysWOW64\Mbeiefff.exe Process not Found File created C:\Windows\SysWOW64\Hckabh32.dll Process not Found File created C:\Windows\SysWOW64\Foojop32.exe Process not Found File created C:\Windows\SysWOW64\Lhgccebd.dll Process not Found File created C:\Windows\SysWOW64\Bmcfln32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pahogc32.exe Process not Found File created C:\Windows\SysWOW64\Blibjh32.dll Process not Found File created C:\Windows\SysWOW64\Ddblgn32.exe Process not Found File created C:\Windows\SysWOW64\Jajcdjca.exe Process not Found File created C:\Windows\SysWOW64\Kkjcplpa.exe Kocbkk32.exe File created C:\Windows\SysWOW64\Dfmcfjpo.dll Process not Found File created C:\Windows\SysWOW64\Ojefcohi.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dojddmec.exe Process not Found File created C:\Windows\SysWOW64\Difnaqih.exe Process not Found File opened for modification C:\Windows\SysWOW64\Emagacdm.exe Process not Found File created C:\Windows\SysWOW64\Kfnpea32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Beehencq.exe Bbflib32.exe File created C:\Windows\SysWOW64\Ilfila32.dll Pckoam32.exe File opened for modification C:\Windows\SysWOW64\Gfehan32.exe Gbjlaplk.exe File opened for modification C:\Windows\SysWOW64\Kokjdb32.exe Process not Found File created C:\Windows\SysWOW64\Hadlijdb.dll Process not Found File created C:\Windows\SysWOW64\Inoaljog.dll Process not Found File opened for modification C:\Windows\SysWOW64\Joaeeklp.exe Jnpinc32.exe File created C:\Windows\SysWOW64\Dcnqanhd.exe Dldhdc32.exe File created C:\Windows\SysWOW64\Qogbdl32.exe Process not Found File created C:\Windows\SysWOW64\Kganqf32.dll Qgoapp32.exe File opened for modification C:\Windows\SysWOW64\Ehoocgeb.exe Edccch32.exe File opened for modification C:\Windows\SysWOW64\Enkpahon.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jlckbh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mijamjnm.exe Process not Found File created C:\Windows\SysWOW64\Ccfhhffh.exe Cphlljge.exe File created C:\Windows\SysWOW64\Hoikeh32.dll Gbaileio.exe File opened for modification C:\Windows\SysWOW64\Kocbkk32.exe Kqqboncb.exe File created C:\Windows\SysWOW64\Oidiekdn.exe Process not Found File created C:\Windows\SysWOW64\Pmpbdm32.exe Process not Found File created C:\Windows\SysWOW64\Qobbofgn.exe Process not Found File created C:\Windows\SysWOW64\Gggpgo32.dll Process not Found File created C:\Windows\SysWOW64\Kemedbfd.dll Mbpnanch.exe File created C:\Windows\SysWOW64\Daipqhdg.exe Process not Found File created C:\Windows\SysWOW64\Mdcagkgd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dodafoni.exe Dlfejcoe.exe File opened for modification C:\Windows\SysWOW64\Mlpneh32.exe Process not Found File created C:\Windows\SysWOW64\Lkihjf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Imfqjbli.exe Ijgdngmf.exe File created C:\Windows\SysWOW64\Mdkjlm32.dll Nkbhgojk.exe File created C:\Windows\SysWOW64\Hadfjo32.dll Cdikkg32.exe File created C:\Windows\SysWOW64\Kigbna32.dll Jnffgd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8784 8820 Process not Found 2045 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhladfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmkfmdne.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naimccpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejloak32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofhhgce.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onjgiiad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neplhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkkdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfdd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Homdpk32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keoapb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfnnha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pomfkndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdkghm32.dll" Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgagfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjcplpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahokfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll" Bbdallnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hipkdnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll" Lpjdjmfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdgapkm.dll" Jqilooij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mknhnalm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfmokdk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefqie32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjlgmlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffcllo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmhnp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elilld32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmngmj32.dll" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbemfmf.dll" Pmjqcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1200 wrote to memory of 2340 1200 0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe 28 PID 1200 wrote to memory of 2340 1200 0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe 28 PID 1200 wrote to memory of 2340 1200 0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe 28 PID 1200 wrote to memory of 2340 1200 0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe 28 PID 2340 wrote to memory of 2368 2340 Kjhdokbo.exe 29 PID 2340 wrote to memory of 2368 2340 Kjhdokbo.exe 29 PID 2340 wrote to memory of 2368 2340 Kjhdokbo.exe 29 PID 2340 wrote to memory of 2368 2340 Kjhdokbo.exe 29 PID 2368 wrote to memory of 2704 2368 Kfoedl32.exe 30 PID 2368 wrote to memory of 2704 2368 Kfoedl32.exe 30 PID 2368 wrote to memory of 2704 2368 Kfoedl32.exe 30 PID 2368 wrote to memory of 2704 2368 Kfoedl32.exe 30 PID 2704 wrote to memory of 2736 2704 Kebepion.exe 31 PID 2704 wrote to memory of 2736 2704 Kebepion.exe 31 PID 2704 wrote to memory of 2736 2704 Kebepion.exe 31 PID 2704 wrote to memory of 2736 2704 Kebepion.exe 31 PID 2736 wrote to memory of 2516 2736 Knjiin32.exe 32 PID 2736 wrote to memory of 2516 2736 Knjiin32.exe 32 PID 2736 wrote to memory of 2516 2736 Knjiin32.exe 32 PID 2736 wrote to memory of 2516 2736 Knjiin32.exe 32 PID 2516 wrote to memory of 2488 2516 Kipnfged.exe 33 PID 2516 wrote to memory of 2488 2516 Kipnfged.exe 33 PID 2516 wrote to memory of 2488 2516 Kipnfged.exe 33 PID 2516 wrote to memory of 2488 2516 Kipnfged.exe 33 PID 2488 wrote to memory of 2984 2488 Komfnnck.exe 34 PID 2488 wrote to memory of 2984 2488 Komfnnck.exe 34 PID 2488 wrote to memory of 2984 2488 Komfnnck.exe 34 PID 2488 wrote to memory of 2984 2488 Komfnnck.exe 34 PID 2984 wrote to memory of 2556 2984 Kakbjibo.exe 35 PID 2984 wrote to memory of 2556 2984 Kakbjibo.exe 35 PID 2984 wrote to memory of 2556 2984 Kakbjibo.exe 35 PID 2984 wrote to memory of 2556 2984 Kakbjibo.exe 35 PID 2556 wrote to memory of 2820 2556 Khekgc32.exe 36 PID 2556 wrote to memory of 2820 2556 Khekgc32.exe 36 PID 2556 wrote to memory of 2820 2556 Khekgc32.exe 36 PID 2556 wrote to memory of 2820 2556 Khekgc32.exe 36 PID 2820 wrote to memory of 1272 2820 Kdlkld32.exe 37 PID 2820 wrote to memory of 1272 2820 Kdlkld32.exe 37 PID 2820 wrote to memory of 1272 2820 Kdlkld32.exe 37 PID 2820 wrote to memory of 1272 2820 Kdlkld32.exe 37 PID 1272 wrote to memory of 2020 1272 Llccmb32.exe 38 PID 1272 wrote to memory of 2020 1272 Llccmb32.exe 38 PID 1272 wrote to memory of 2020 1272 Llccmb32.exe 38 PID 1272 wrote to memory of 2020 1272 Llccmb32.exe 38 PID 2020 wrote to memory of 2300 2020 Lkfciogm.exe 39 PID 2020 wrote to memory of 2300 2020 Lkfciogm.exe 39 PID 2020 wrote to memory of 2300 2020 Lkfciogm.exe 39 PID 2020 wrote to memory of 2300 2020 Lkfciogm.exe 39 PID 2300 wrote to memory of 1588 2300 Lhjdbcef.exe 40 PID 2300 wrote to memory of 1588 2300 Lhjdbcef.exe 40 PID 2300 wrote to memory of 1588 2300 Lhjdbcef.exe 40 PID 2300 wrote to memory of 1588 2300 Lhjdbcef.exe 40 PID 1588 wrote to memory of 2228 1588 Lfmdnp32.exe 41 PID 1588 wrote to memory of 2228 1588 Lfmdnp32.exe 41 PID 1588 wrote to memory of 2228 1588 Lfmdnp32.exe 41 PID 1588 wrote to memory of 2228 1588 Lfmdnp32.exe 41 PID 2228 wrote to memory of 1720 2228 Labhkh32.exe 42 PID 2228 wrote to memory of 1720 2228 Labhkh32.exe 42 PID 2228 wrote to memory of 1720 2228 Labhkh32.exe 42 PID 2228 wrote to memory of 1720 2228 Labhkh32.exe 42 PID 1720 wrote to memory of 1740 1720 Lhlqhb32.exe 43 PID 1720 wrote to memory of 1740 1720 Lhlqhb32.exe 43 PID 1720 wrote to memory of 1740 1720 Lhlqhb32.exe 43 PID 1720 wrote to memory of 1740 1720 Lhlqhb32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:640 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe33⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe34⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe35⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe36⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe38⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe39⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe40⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe41⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe42⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe44⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe45⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe46⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe47⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe48⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe49⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe50⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe51⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe52⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe53⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe54⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe55⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe56⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe57⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe58⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe59⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe60⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe61⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe62⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe63⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe64⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe65⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe67⤵PID:1712
-
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe68⤵PID:2420
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe69⤵PID:892
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe70⤵PID:3040
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe71⤵PID:2500
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe72⤵PID:2144
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe73⤵PID:2136
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe74⤵PID:2828
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe75⤵PID:2016
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe76⤵PID:1976
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe77⤵PID:2380
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe78⤵PID:2900
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe79⤵PID:2840
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe80⤵PID:1268
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe81⤵
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe82⤵PID:2456
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe83⤵PID:1144
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe84⤵PID:1776
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe85⤵PID:2920
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe86⤵PID:2100
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe87⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe88⤵PID:2660
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe89⤵PID:2544
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe90⤵PID:2788
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe91⤵PID:1840
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe92⤵PID:1992
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe93⤵PID:280
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe95⤵PID:2072
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe96⤵PID:1256
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe97⤵PID:1156
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe98⤵PID:944
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe99⤵PID:2908
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe100⤵PID:2264
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe101⤵PID:2388
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe102⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe103⤵PID:2564
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe104⤵PID:2588
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe105⤵PID:2004
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe106⤵PID:1672
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe107⤵PID:1556
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe108⤵PID:1484
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe109⤵PID:2316
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe110⤵PID:1136
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe111⤵PID:1616
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe112⤵PID:2904
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe113⤵PID:2856
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe114⤵PID:2752
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe115⤵PID:2336
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe116⤵PID:2844
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe117⤵PID:2552
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe118⤵PID:304
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe119⤵PID:2080
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe120⤵PID:768
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe121⤵PID:2460
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-